Is Facial Recognition The Next Privacy Battleground?

While much recent retail technology buzz has focused on the promise and peril of Apple’s iBeacons, another identity tech has matured: facial recognition. It’s now powerful enough to let stores use cameras to link customers’ faces to information stored in databases—but it’s also finding use in industrial and transportation settings, where it can be used to keep people away from sensitive areas. But are we ready for this tech to start linking personal data with our faces without our knowledge?

Legally, there’s nothing stopping American businesses from doing so. A recent BBC article posited the future concern that retail businesses could compare photos taken in-store with databases drawing from data found on the Internet—like databases of social media or Facebook users. But no business wants to be the first on its block to start scanning customer faces and get caught with data the customer didn’t want collected, says Joe Rosenkrantz, CEO of FaceFirst, a Los Angeles-based company that sells facial recognition systems. Instead, FaceFirst‘s retail clients mainly use the company’s biometric analytics to track known shoplifters.

FaceFirst’s facial analysis software requires a minimum of one megapixel of resolution for its facial recognition to work (you can find 1.3MP security cameras for $150 online), but the software isn’t restricted to fixed cameras: It’s designed to work with smartphones. Armed with an iPhone, employees can snap customer photos and upload them to FaceFirst’s analytics servers to compare with database entries.

Rosenkrantz and his cofounders started FaceFirst in 2007 when they recognized that facial recognition algorithms had become mature and accurate, but there were no platforms for enterprise deployment. Even now, FaceFirst has few competitors that can rapidly scale up a facial recognition system for thousands of stores, say—or process a massive database to help keep a bus terminal or airport secure.

It takes a ton of bandwidth to deal with live HD video and biometric data.

Simply put, FaceFirst’s system has a camera take a photo of a person’s face, analyze it on a 128-by-128-point (for a total of 16,384 reference points) facial overlay grid, and compare it to faces in a database. The client chooses the database, which can be any size, but the larger the database, the more processing power it’ll take to get a timely comparison result. When someone snaps a photo, FaceFirst’s system compares those reference points to entries in the database, giving a percentage match. The client decides what the accuracy threshold should be, with 80%-90% the default threshold to trigger alerts.

It takes a ton of bandwidth to deal with live HD video and biometric data, but FaceFirst has spent years whittling down file sizes to streamline high-scale enterprise demand. Further, the company built a web-based portal for global access to the facial recognition system, even from smartphones.

The facial recognition algorithm FaceFirst uses has been vastly improved since its introduction in the early ’90s, Rosenkrantz says. More intermediate steps between acquisition and match filter lighting and choose the best pose from a series of photos that aligns with the algorithm’s facial grid. The algorithm marks those grid reference points on-site, sending only biometric data to the database comparison engine, saving bandwidth.

This speed and mobile access lets retail businesses intercept suspicious parties quickly. But FaceFirst doesn’t just have clients looking to bolster loss prevention: The company has created a custom mobile app for law enforcement and sold their services to 71 police agencies, Rosenkrantz says. The largest police agency database among FaceFirst’s clients has 8 million entries—and processing that data more quickly for officers on the move has obvious advantages.

I don’t think that people in general are able to grasp or gather how companies share data.

Despite ongoing controversy over technology-related privacy violations, America is one of the few developed nations without a universal or federal privacy law governing how data is collected and shared. The Electronic Frontier Foundation has been up in arms about data privacy in general, but the organization is especially concerned about data collection in the retail sphere.

“I don’t think that people do understand that yet, but I don’t think that people in general are able to grasp or gather how companies share data,” says Jennifer Lynch, legal counsel for the EFF. “It’s definitely something to be concerned about, especially with data leakage along the way, and to think about how many cameras are already in society.”

“Facial recognition, like any biometric, is unique to an individual—like a Social Security number or driver’s license or credit card number, it can’t be changed. So if there’s ever a security breach, it could really impact an individual more than we have seen in the recent Home Depot and Target data leaks,” Lynch says. “It impacts the fundamental values of being able to participate in society anonymously.”